.github/workflows/prod-deploy.yml

name: deploy to aws production

on: workflow_dispatch

env:
  repo_name: 'vision-agent'
  aws_account_id: '944932498359'
  aws_region: 'us-east-2'
  cluster_name: 'llens-app-production'
  namespace: 'datamanagement'

jobs:
  db_migration:
    runs-on: ubuntu-latest
    environment: aws-production

    permissions:
      id-token: write
      contents: read

    steps:
      - uses: actions/checkout@v4
        with:
          ref: main

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install pnpm
        run: npm install -g pnpm@9.1.1

      - name: Install dependencies
        run: pnpm install

      - name: prisma migrate deploy
        env:
          POSTGRES_PRISMA_URL: ${{ vars.DB_MIGRATION_URL }}
          POSTGRES_URL_NON_POOLING: ${{ vars.DB_MIGRATION_URL }}
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.BASTION_SSH_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan -H 3.142.222.176 >> ~/.ssh/known_hosts
          ssh -o StrictHostKeyChecking=no -fN -v -L localhost:5432:platform.db.app.landing.ai:5432 ubuntu@ec2-3-142-222-176.us-east-2.compute.amazonaws.com
          pnpm prisma migrate deploy

  deploy_to_aws_production:
    needs: db_migration

    runs-on: ubuntu-latest
    environment: aws-production

    permissions:
      id-token: write
      contents: write

    steps:
      - uses: actions/checkout@v4
        with:
          ref: main

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ env.aws_account_id }}:role/github-actions-role
          aws-region: ${{ env.aws_region }}

      - name: kubeconfig
        run: |
          aws sts get-caller-identity
          aws eks update-kubeconfig --name ${{ env.cluster_name }} --region ${{ env.aws_region }}

      - name: install helm
        run: |
          curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

      - name: get image tag based on the sha
        id: sha_short
        run: |
          echo "image_tag=$(git rev-parse --short HEAD)"
          echo "image_tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

      - name: helm upgrade --install
        env:
          IMAGE_TAG: ${{ steps.sha_short.outputs.image_tag }}
        run: |
          helm upgrade --install --wait -n ${{ env.namespace }} ${{ env.repo_name }} -f chart/${{ vars.VALUES_FILE }} ./chart \
            --set image.tag=$IMAGE_TAG \
            --set env.AWS_BUCKET_NAME=${{ vars.AWS_BUCKET_NAME }} \
            --set env.AWS_REGION=${{ vars.AWS_REGION }} \
            --set env.NEXTAUTH_URL=${{ vars.NEXTAUTH_URL }} \
            --set env.AUTH_GITHUB_ID=${{ vars.AUTH_GITHUB_ID }} \
            --set env.AUTH_GITHUB_SECRET=${{ vars.AUTH_GITHUB_SECRET }} \
            --set env.AUTH_SECRET=${{ vars.AUTH_SECRET }} \
            --set env.AUTH_TRUST_HOST=${{ vars.AUTH_TRUST_HOST }} \
            --set env.AWS_ACCESS_KEY_ID=${{ vars.AWS_ACCESS_KEY_ID }} \
            --set env.AWS_SECRET_ACCESS_KEY=${{ vars.AWS_SECRET_ACCESS_KEY }} \
            --set env.GOOGLE_CLIENT_ID=${{ vars.GOOGLE_CLIENT_ID }} \
            --set env.GOOGLE_SECRET=${{ vars.GOOGLE_SECRET }} \
            --set env.LOKI_AUTH_USER_PASSWORD=${{ vars.LOKI_AUTH_USER_PASSWORD }} \
            --set env.OPENAI_API_KEY=${{ vars.OPENAI_API_KEY }} \
            --set env.POSTGRES_PRISMA_URL=${{ vars.POSTGRES_PRISMA_URL }} \
            --set env.AGENT_HOST=${{ vars.AGENT_HOST }}

      - name: Generate new tag
        id: vars
        run: |
          NEW_TAG_BASE="aws-production-$(date +%Y-%m-%d)"
          LAST_TAG=$(git ls-remote --tags origin "${NEW_TAG_BASE}*" | awk -F'\t' '{print $2}' | sort -V | tail -1)
          if [[ $LAST_TAG == refs/tags/${NEW_TAG_BASE}* ]]; then
            INDEX=$(echo $LAST_TAG | awk -F"/" '{print $NF}' )
            INDEX=$((INDEX + 1))
          else
            INDEX=1
          fi
          NEW_TAG="${NEW_TAG_BASE}/${INDEX}"

          echo "NEW_TAG=${NEW_TAG}" >> $GITHUB_ENV

      - name: Push new tag
        run: |
          git tag $NEW_TAG
          git push origin $NEW_TAG

      - name: Create production release with generated release notes
        env:
          GH_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
        run: |
          # List all releases and filter out drafts
          draft_releases=$(gh release list --json tagName,isDraft --jq '.[] | select(.isDraft) | .tagName')

          # Loop through each draft release and delete it (created by cicd.yml)
          for release in $draft_releases; do
            echo "Deleting draft release: $release"
            gh release delete "$release" --yes
          done
          gh release create $NEW_TAG --generate-notes